wireguard: init wireguard service

dev-docs
Moritz Böhme 2023-02-24 12:08:29 +01:00
parent 8920ce2ec5
commit ed5623256c
Signed by: moritz
GPG Key ID: 970C6E89EB0547A9
6 changed files with 76 additions and 0 deletions


@ -96,6 +96,7 @@ with lib; {
openvpn.enable = true; openvpn.enable = true;
printing.enable = true; printing.enable = true;
redshift.enable = true; redshift.enable = true;
wireguard.enable = true;
}; };
}; };


@ -12,5 +12,6 @@
./picom.nix ./picom.nix
./printing.nix ./printing.nix
./redshift.nix ./redshift.nix
./wireguard.nix
]; ];
} }


@ -0,0 +1,41 @@
{ config
, lib
, pkgs
, ...
}:
with lib;
let
cfg = config.my.services.wireguard;
in
{
options.my.services.wireguard.enable = mkEnableOption "wireguard";
config = lib.mkIf cfg.enable {
age.secrets = {
wireguard-private-key.file = ../../secrets/wireguard-private-key.age;
wireguard-preshared-key.file = ../../secrets/wireguard-preshared-key.age;
};
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wg-quick.interfaces = {
wg0 = {
autostart = false;
address = [ "10.8.0.3/24" ];
listenPort = 51820;
privateKeyFile = "/run/agenix/wireguard-private-key";
peers = [
{
publicKey = "bT/U8ko3i//vH8LNn2R56JkGMg+0GLFrZSF81BBax08=";
presharedKeyFile = "/run/agenix/wireguard-preshared-key";
# Forward all the traffic via VPN.
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "wg.moritzboeh.me:51820";
persistentKeepalive = 25;
}
];
};
};
};
}
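Review bot: The peer's `allowedIPs = [ "0.0.0.0/0" ];` routes only IPv4 through wg0, so the comment "Forward all the traffic via VPN" does not hold for IPv6; if the host has native IPv6 connectivity (not visible here), that traffic leaves outside the tunnel. Consider `allowedIPs = [ "0.0.0.0/0" "::/0" ];` and setting the interface's `dns` option so name lookups also go through the tunnel. Separately, `allowedUDPPorts = [ 51820 ];` opens the port on every interface whenever the module is enabled, even with `autostart = false`; since this host dials out to `endpoint` with `persistentKeepalive = 25`, replies should already pass the stateful firewall, so the rule looks removable. The hard-coded `/run/agenix/...` paths could be `config.age.secrets.wireguard-private-key.path` (and the preshared-key equivalent) so they follow agenix's configured secrets directory.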


@ -18,4 +18,6 @@ in
"spotifyd.age".publicKeys = all; "spotifyd.age".publicKeys = all;
"ssh-home.age".publicKeys = all; "ssh-home.age".publicKeys = all;
"uni-vpn.age".publicKeys = all; "uni-vpn.age".publicKeys = all;
"wireguard-preshared-key.age".publicKeys = all;
"wireguard-private-key.age".publicKeys = all;
} }
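Review bot: `"wireguard-private-key.age".publicKeys = all;` encrypts this peer's WireGuard private key to every recipient in `all` (defined outside this hunk; the encrypted file in this commit carries five ssh-ed25519 recipient stanzas), so any of those keys can decrypt it and authenticate to the server as 10.8.0.3. If only one machine brings up wg0, restrict the recipients to that host's key plus the key used to edit secrets, e.g. `"wireguard-private-key.age".publicKeys = [ <editor-key> <wg-host-key> ];` (placeholders), and do the same for the preshared key. If several machines are meant to use this module, each would need its own key pair and tunnel address rather than one shared identity.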


@ -0,0 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 CjuqfA HUg3FETh6ezG8DcEaFW/VYrzKoqpGKpWQKk2R+e4zzM
Hnj5vK3gT2+BpGVYfQBPnosUiBgp2shs4g3Va1Z1JzU
-> ssh-ed25519 QRYDmg vc5Qzx8lbFF6BYV/BVNDv7+4tvwdGV8nyUHoVEr1yEA
mp4s4Kg7UcS6HEcaZaFhypPQh6BzeeovpEzxn0Q91Q4
-> ssh-ed25519 wG6LYg ZDy84tJ1nyrtCdOVlF464rPAmWEQXcP11B30+ccXJ2k
i+efuVas6vT9K55/soO2SOLxo29heQTR12gO5gx5SSI
-> ssh-ed25519 ZYd7Zg jmWJkTLgzrt3nU7KA3xRU37T3EriWngdbCC4GwS/pik
PYtUFRBv8yIuHgDrMJNdrsUsqjjKc/+hmvj1+pY3MpQ
-> ssh-ed25519 as9VYQ qpAgrLdj/1tLgGSH/ixGisVSBAoDB2A/nednmGKqLiM
AD6i7RrNgXcPW6ebr8T1vwsbGDQkWX/zNX7kLZ1bkTI
-> syy03-grease G1Yn Zq| $0
EmxSuXdlQfAHuTHTAd4nvyFFhfOVswM9F79VwDNuXVkf/SatEO2uhCM4RmInrNhP
a7U1TNxhGd4HuT0k5wqaN2Vr67adR6Hh024vaTxw9OHneQ
--- 7AIOs1wK0DIhK+AVkPDlOZjzFLfhsqZlWXVkLnXNcN8
!È®¼^Ã.CJ°„¸ ª]¼J<C2BC>N§Äºfú0¼'Äajy+ î?;༅Üw0<77>w<>ÒE`Sߤ¥¯Ò'¬Lá#1½Ò×ET¤.k=÷


@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 CjuqfA EQLHOBOVfp+j3x+coXt1isDkG+LvsSYkU8PT1cg97FQ
NJWJKvmN4hUHsC34n1ap4HlipC0rGWlqrbgR4vm91YY
-> ssh-ed25519 QRYDmg LOvHPzC4zfX2rlQBxYwHoHhjftCyWnBRLXZ/aB1ekQM
lVtsflczWZwhBx4FZeJK6jtcUCvwQKIA5Gmbth2to9U
-> ssh-ed25519 wG6LYg nqcLDqaVL7D0seK7kW52vmG/lm0Nd28lBroYrRMVynI
oYA8E4DDR26gpRCdJMWtzoGvUTErI6GMSdF99kTNKtc
-> ssh-ed25519 ZYd7Zg vz3LZxq0+KTx6E4J0X6duivLP0TFtA8WaOQaiSmMcF4
5g+3H/6J9FjsWifcfmEq8dz0hk4mpZhhJaEndPE3Mpw
-> ssh-ed25519 as9VYQ VIQ18yC/qEiP66hfCwWAbAbNCBypB47gbWkFg/TJmWE
MXK5RnuwAlKt676CPO0N/3BeM9gsgMPZNEG1DXq8uXA
-> 8kx-grease s%obC ~GOw1 C
--- V8z981BPe2yVOaMCj2np9Vvvy/6zP8xHCFKRFwsceXs
¢»„•¤ÇÜà+<2B>Xobë_)È<zݯmDPoçßê±Kð½ùÛÞZåé=ØÂ¥ºt-·b+}vûçµpgÝÊU' þø#/89„